Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The present Office Action is responsive to communications received on 3/16/2021. Claims 1-20 are pending.

Notes
The computer readable media claimed in claims 12-16 is not to be construed as signals, according to specifications ([0070]).

Response to Arguments
Regarding the prior art rejection, Applicant’s arguments are respectfully considered and are moot in view of the new ground of rejection presented herein.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-7, 9-14 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over US 9419942 to Buruganahalli et al., hereinafter  Buru, in view of US 20140109174 to Barton et al., hereinafter Barton.
Regarding claim 1, Buru discloses 
A computer-implemented method comprising: authenticating, by a client application, a network security agent  to dynamically obtain one or more security policies from the network security agent ((Fig. 3B col. 11, lines 58 to col. 12 line 15: client application and firewall handshake before establishing SSL connection (mutual authentication), wherein the client application and the network security agent are configured to execute on a user device (Fig. 4: firewall application executing in client device is the security device, and client application is a browser supporting TLS application with SNI extension (col. 4, lines 55-62)) ; obtaining, by the client application, connection information that includes a request to initiate an encrypted connection with a destination entity (col. 5, lines 14-41: use SNI extension on browser to extract destination domain (connection information) included in an https request (col. 5, lines 1-13) or attempt for setting a secure TLS channel (col. 4, lines 63-67)); determining, by the client application, whether the encrypted connection between the client application and the destination entity is permitted according to the one or more security policies and based on the connection information (col. 11, lines 50-58 the firewall uses the extracted destination domain and firewall policies , deny or authorize the request (col. 12, lines 15-33) and notifies the client (e.g. send back a ‘not-supported’ response back to client according to policies and connection information); therefore, the client receiving the response will determine the ; and establishing the encrypted connection between the client application and the destination entity in response to determining that the encrypted connection is permitted (col. 5, lines 25-41, and lines 52-67:  apply policies to extracted domain to determine whether to allow or deny encrypted communications).  Buru fails to explicitly teach the network security agent communicates with a source of security policies; requesting, by the client application, the one or more security policies from the network security agent, wherein the one or more security policies are obtained by the network security agent from the source of security policies; receiving, by the client application, the one or more security policies from the network security agent.
Barton in an analogous art discloses managed applications including a browser interacting with a client agent (Fig. 6) , [0026]). Barton discloses the network security agent communicates with a source of security policies (client agent communicate with gateway server which provides policies (Fig. 6)); requesting, by the client application, the one or more security policies from the network security agent, wherein the one or more security policies are obtained by the network security agent from the source of security policies ([0087]:  managed application including browser, which is wrapped by a management framework [0086], requests policies from the client agent, which in turn obtains the policies from the gateway server) ; receiving, by the client application, the one or more security policies from the network security agent 
It would have been obvious to a skilled artisan before the effective filing date of the instant application to get the policies from a server thru a client agent as taught by Barton, because the client agent acts as a user interface intermediary allowing to access policies for all managed applications in the user device more efficiently, instead of obtaining policies individually from each managed application.

Regarding claim 2, Buru in view of Barton discloses the computer-implemented method of claim 1, wherein determining that the encrypted connection between the client application and the destination entity is permitted comprises: obtaining an assessment list comprising a plurality of entity names and a corresponding plurality of assessment categories; determining an assessment category for the destination entity; and determining that the encrypted connection between the client application and the destination entity is permitted based on the assessment category (Buru, col. 5, lines 52-67: the assessment list is a whitelist listing allowed domains, to be matched to the destination domain in a request for a new SSL session).  

Regarding claim 3, Buru in view of Barton discloses the computer-implemented method of claim 1, wherein determining that the encrypted connection between the client application and the destination entity is permitted comprises: obtaining, from the client application, an action list comprising one or more assessment categories and one or more associated actions; providing, by the client application, a request to the network security agent for a domain assessment, wherein the request includes the connection information; obtaining, by the client application, an assessment category; 

Regarding claim 4, Buru in view of Barton discloses the computer-implemented method of claim 3, wherein the obtaining an assessment category is performed separately for each of a plurality of encrypted connections between the client application and one or more destination entities (Buru, col. 6, lines 1-23: for every new session request, the firewall (security agent) will evaluate whether the extracted target domain is in a whitelist or blacklist prior to setup the encrypted communication).
Regarding claim 6, Buru in view of Barton discloses the computer-implemented method of claim 1, wherein the encrypted connection uses a Transport Layer Security protocol (Buru col. 4, lines 36-40).  
Regarding claim 7, Buru in view of C Barton discloses the computer-implemented method of claim 1, wherein the connection information comprises one or more of: a field in a certificate, a domain name, and a Transport Layer Security server name indication (Buru, col. 7, lines 16-24: SNI).
Regarding claim 9, Buru in view of Barton discloses the computer-implemented method of claim 1, further comprising the client application communicating with the network security agent via an extension installed in the client application (Buru, SNI 
Regarding claim 10, Buru in view of Barton discloses the computer-implemented method of claim 1, wherein the client application is a web browser application (Buru col. 4, lines 62-63).  
Regarding claim 11, Buru in view of Barton discloses the computer-implemented method of claim 1, wherein the establishing the encrypted connection further comprises inserting a tag into an outbound data flow indicating that the one or more security policies have been applied to the encrypted connection (Buru, col. 12, lines 13-26: mark the session as SSL-tunneling-traffic and continue to monitor the session).  
Regarding claims 12-14 and 16, the claims recite substantially the same content as claims 1-3 and 9 respectively, and are rejected according to the rationales used for claims 1-3 and 9, respectively.
Regarding claims 17-19, the claims recite substantially the same content as claims 1-3 a respectively, and are rejected according to the rationales used for claims 1-3, respectively.

Claim 5, 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Buru, in view of Barton and further in view of US 20140140331 to Lee, hereinafter Lee.
Regarding claim 5, Buru in view of Barton discloses the computer-implemented method of claim 3 but fails to teach the method further comprising: providing, by the 
In an analogous art, Lee discloses providing, by the client application, one or more deliberately fictitious requests to the network security agent  for a domain assessment, wherein the one or more deliberately fictitious requests comprise fictitious connection information (([0022] client application  sends a probe request to access point through network controller 660 (Fig. 6), the request including a fake identifier for the client device (fictitious information),  [0032]: client application receives a probe response including identifier for access point , determines if received identifier is included in the list of authorized access points i.e domain assessment). It would have been obvious to a person skilled in the art before the application effective filing date to send fictitious requests as taught by Lee because it would allow to test the request first before sending a real request (Lee [0034][0035]). 
Regarding claims 15 and 20, the claims recite substantially the same content as claim 5 and are rejected using the rationales rejecting claim 5.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Buru, in view of Barton and further in view of US 20160323318 to Terrill et al., hereinafter Terrill.
Regarding claim 8, Buru in view of Barton discloses the computer-implemented method of claim 1,  but does not explicitly teach the method further comprising: determining, by the client application, whether to query the network security agent in order to apply a security policy obtained from the network security agent for .

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138.  The examiner can normally be reached on Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/Catherine Thiaw/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        6/24/2021